Date: Thu, 5 Mar 2015 22:10:27 +0000 (UTC)
From: Matthias Andree <mandree@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r380553 - head/security/vuxml
Message-ID: <201503052210.t25MAR1F007521@svn.freebsd.org>
Author: mandree Date: Thu Mar 5 22:10:26 2015 New Revision: 380553 URL: https://svnweb.freebsd.org/changeset/ports/380553 QAT: https://qat.redports.org/buildarchive/r380553/ Log: Document recently fixed PuTTY < 0.64 vuln. CVE-2015-2157. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Mar 5 21:23:01 2015 (r380552) +++ head/security/vuxml/vuln.xml Thu Mar 5 22:10:26 2015 (r380553) 
@@ -57,6 +57,44 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="92fc2e2b-c383-11e4-8ef7-080027ef73ec"> + <topic>PuTTY -- fails to scrub private keys from memory after use</topic> + <affects> + <package> + <name>putty</name> + <range><lt>0.64</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Simon Tatham reports:</p> + <blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html"> + <p>When PuTTY has sensitive data in memory and has no further need for + it, it should wipe the data out of its memory, in case malware later + gains access to the PuTTY process or the memory is swapped out to + disk or written into a crash dump file. An obvious example of this + is the password typed during SSH login; other examples include + obsolete session keys, public-key passphrases, and the private + halves of public keys.</p> + <p>PuTTY 0.63 and earlier versions, after loading a private key + from a disk file, mistakenly leak a memory buffer containing a + copy of the private key, in the function ssh2_load_userkey. The + companion function ssh2_save_userkey (only called by PuTTYgen) can + also leak a copy, but only in the case where the file it tried to + save to could not be created.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html</url> + <cvename>CVE-2015-2157</cvename> + </references> + <dates> + <discovery>2015-02-28</discovery> + <entry>2015-03-05</entry> + </dates> + </vuln> + <vuln vid="8505e013-c2b3-11e4-875d-000c6e25e3e9"> <topic>chromium -- multiple vulnerabilities</topic> <affects>
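Review bot: The <affects> block of the new 92fc2e2b-c383-11e4-8ef7-080027ef73ec entry names only the package putty with <range><lt>0.64</lt></range>, so any other package built from the same PuTTY sources would not be matched by this entry. The quoted advisory says the leak is in ssh2_load_userkey and ssh2_save_userkey, which is shared key-handling code, so please confirm that no slave or variant port ships it under a different package name, and add a <name> line for each one that does. The version range itself agrees with the quoted text ("PuTTY 0.63 and earlier") and with the commit log. The commit log would also be easier to search if it named the flaw the way the <topic> does (private keys not scrubbed from memory) rather than only "vuln".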